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Vulnerabilities are Low Hanging Fruit 


Early 2010s: zero-day vulnerabilities

Today: rapid weaponization of newly-disclosed vulnerabilities
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Known Critical Vulnerabilities 
are Increasing 


- 6-7K vulnerabilities are disclosed each year
- 30-40% are ranked as "High" or "Critical" severity
- "Mean Time to Weaponize" is rapidly decreasing year over year

[Chart: vulnerabilities disclosed per year, 2011-2016, y-axis up to 9,000; series "Total" and "High (CVSS 7-10)"]
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Vulnerability Management Lifecycle 


[Cycle diagram: Asset Inventory -> Vulnerability Management -> Threat Risk and Prioritization -> Patch Management -> back to Asset Inventory]
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Vulnerability Spread at Speed of DevOps 


[Azure portal screenshots: "Create a resource" > Virtual machines, with three RHEL instances already running (RHEL74-CC1-Azure, RHEL75-CC2-Azure, RHEL75-CC3-USEast2-Azure); Marketplace images one click away (Windows Server, Red Hat Enterprise Linux 7.4, Ubuntu Server, SQL Server 2017, plus RemoteScan Enterprise, Pivotal Cloud Foundry and Aqua Container Security Platform); Security Center recommendation "Auto-Deploy Qualys Cloud Agent"; Security Center > Security solutions showing one connected solution (Qualys VA, Healthy) and "Add data sources (5)" for non-Azure computers and Common Event Format]

The point of the slide: a new VM, and with it a new attack surface, is a few clicks away, so the scanning agent has to be deployed with the VM rather than after someone remembers to ask for it.
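When agent deployment is automatic, the remaining job is to catch the hosts where it did not happen. The script below is an added example (not Qualys or Microsoft code) that takes a VM inventory and lists every VM without a healthy agent, ordering internet-facing and freshly built hosts first. The inventory is constructed and modelled loosely on `az vm list -d` output with simplified field names; the extension publisher string "Qualys", the extension status values and the fixed clock are assumptions for the example.

```python
import json
from datetime import datetime, timezone

AGENT_PUBLISHER = "qualys"   # assumption: publisher string of the agent VM extension
NEW_WITHIN_HOURS = 24        # a VM younger than this has likely never been scanned

# Constructed inventory, modelled loosely on `az vm list -d` output with field names
# simplified; the VM names are the ones on the slide, everything else is made up.
INVENTORY_JSON = """
[
  {"name": "RHEL74-CC1-Azure", "resourceGroup": "rg-prod", "publicIps": "40.0.0.1",
   "timeCreated": "2018-08-01T10:00:00Z",
   "extensions": [{"publisher": "Qualys", "type": "QualysAgent", "provisioningState": "Succeeded"}]},
  {"name": "RHEL75-CC2-Azure", "resourceGroup": "rg-prod", "publicIps": "40.0.0.2",
   "timeCreated": "2018-09-10T08:30:00Z", "extensions": []},
  {"name": "RHEL75-CC3-USEast2-Azure", "resourceGroup": "rg-dev", "publicIps": "",
   "timeCreated": "2018-08-20T12:00:00Z",
   "extensions": [{"publisher": "Qualys", "type": "QualysAgent", "provisioningState": "Failed"}]}
]
"""
# Fixed clock so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2018, 9, 10, 12, 0, tzinfo=timezone.utc)


def has_healthy_agent(vm):
    """True only if the agent extension exists AND finished provisioning."""
    return any(
        (ext.get("publisher") or "").lower() == AGENT_PUBLISHER
        and ext.get("provisioningState") == "Succeeded"
        for ext in vm.get("extensions", [])
    )


def coverage_gaps(inventory_json, now=NOW):
    """Return VMs with no healthy agent, most exposed first."""
    gaps = []
    for vm in json.loads(inventory_json):
        if has_healthy_agent(vm):
            continue
        created = datetime.fromisoformat(vm["timeCreated"].replace("Z", "+00:00"))
        age_hours = (now - created).total_seconds() / 3600
        reasons = []
        if vm.get("publicIps"):
            reasons.append("public IP")
        if age_hours < NEW_WITHIN_HOURS:
            reasons.append(f"created in last {NEW_WITHIN_HOURS}h")
        failed = any(e.get("provisioningState") == "Failed" for e in vm.get("extensions", []))
        reasons.append("agent install failed" if failed else "no agent extension")
        gaps.append({"name": vm["name"], "resourceGroup": vm["resourceGroup"], "reasons": reasons})
    # Internet-facing, freshly built hosts first: attackers find those before the scanner does.
    gaps.sort(key=lambda g: (-len(g["reasons"]), g["name"]))
    return gaps


if __name__ == "__main__":
    for gap in coverage_gaps(INVENTORY_JSON):
        print(f'{gap["name"]:28} {gap["resourceGroup"]:10} {", ".join(gap["reasons"])}')
```

A "Failed" extension is treated the same as a missing one: the portal shows the extension, but no scan data will ever arrive from that host, which is the blind spot the lifecycle slide warns about.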
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Vulnerability Results 


[Qualys Cloud Agent asset view for RHEL74-CC1-Azure, View Mode: Vulnerabilities, selectable by severity]

Confirmed vulnerabilities (24): Sev 5: 1, Sev 4: 16, Sev 3: 7
Potential vulnerabilities (3): Sev 5: 0, Sev 4: 0, Sev 3: 3

Vulnerability detection by status in the last 7 days: Active 2, Reopened 7, Fixed 0

Asset view sections: Asset Summary, System Information, Agent Summary, Network Information, Open Ports, Installed Software, Vulnerabilities, Threat Protection RTIs, File Integrity Monitoring, Indication of Compromise, Alert Notifications, Azure VM Information
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Threat Protection: Exploitability Opportunity


[Qualys asset view for RHEL74-CC1-Azure, View Mode: Threat Protection Summary]

Total vulnerabilities by Real-Time Threat Indicator (RTI):
- Zero Day
- Easily Exploitable
- Public Exploit: 14
- Active Attacks
- Unpatchable
- High Lateral Movement: 10
- High Data Loss: 13
- Vulnerable to DoS: 10

Latest threats from live feed (Title / Published):
- OpenSSH User name Enumeration Vulnerability: CVE-2018-15473 (8/29/2018)
- L1 Terminal Fault / Foreshadow Attack aka L1TF Attack
- PoC Exploit available for CVE-2018-15473 (several feed entries, 8/15/2018 and 8/20/2018)
- SegmentSmack: CVE-2018-5390
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Get Proactive - Reduce the Attack Surface


- Immediately identify vulnerabilities in production
- Notify the IT asset owner to patch or stop the instance
- Control network access / cloud security groups
- Add detection and response, endpoint and network
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Proactively Hunt, Detect, and Respond 


Indication of Compromise: detect IOCs, IOAs, and verify threat intel

Passive Network Sensor: what new devices are on the network? Are there new or different traffic patterns?
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Qualys IOC Use Cases - Visibility Beyond AV


- Threat Intel Verification (API integration): threat intel feeds, mandated to verify "Is this hash, registry key, process, mutex on my network?"
- "Look Back" investigation after a known breach (SIEM integration): go back over months of stored events and find the first occurrence of a breach
- Hunting / find suspicious activity: Indicator of Activity hunting with pre-built and user-defined queries for fileless attacks
- Detect known/unknown malware family variants: using Qualys Malware Labs behavior models and threat feeds (OEM, customer)
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Organizations Struggle to Answer Basic Questions 


- Are these hashes on / running in my network? Are these mutexes, processes, or registry keys present?
- Did any endpoints connect to these IPs or domains? Are there any connections to TOR exit nodes?
- Which system was impacted first ("patient zero")? Did this spread to other systems? When?
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Threat Intel Verification 


Step 1: threat intelligence lists the attack information. Quoted from the US-CERT alert as shown on the slide (October 6, 2017):

NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware, referred to as NotPetya, encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details
Anti-Virus Coverage: VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report
Delivery: MD5 71b6a493388e7d0b40c83ce903bc6b04
Installation: MD5 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new): MD5 d926e76030f19f1f7ef0b3cd1a4e80f9
Secondary Actions: NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below: ...

Step 2: search for the file hash. [Qualys Indication of Compromise > Hunting, query d926e76030f19f1f7ef0b3cd1a4e80f9, Last 7 Days: 2 total events, object svvchost.exe on assets WIN2008R2-11566 and WIN7-320860-T44]

Step 3: find the object there.
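The hunt above, carried out against stored endpoint telemetry instead of the Qualys UI, as an added example (not Qualys code). It takes the three MD5 hashes quoted on the slide as the IOC list, scans a constructed process-execution log (the host names are the ones visible on the slide; timestamps, process names and the benign hash are made up), and answers the "look back" questions from the previous slide: which hosts hold the object, which host was patient zero, and in what order the infection spread. The log line format is an assumption for the example.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# IOC hashes exactly as quoted on the slide from the US-CERT NotPetya write-up.
NOTPETYA_MD5 = {
    "71b6a493388e7d0b40c83ce903bc6b04": "delivery",
    "7e37ab34ecdcc3e77e24522ddfd4852d": "installation",
    "d926e76030f19f1f7ef0b3cd1a4e80f9": "credential stealer",
}

# Constructed telemetry (not real agent output). Note the upper-case hash on the
# first line and the malformed line in the middle: both must be handled.
SAMPLE_EVENTS = """\
2017-06-27T10:15:02Z host=WIN2008R2-11566 proc=svvchost.exe md5=D926E76030F19F1F7EF0B3CD1A4E80F9
2017-06-27T10:15:40Z host=WIN2008R2-11566 proc=installer.exe md5=7e37ab34ecdcc3e77e24522ddfd4852d
2017-06-27T10:17:11Z host=WIN7-320860-T44 proc=svvchost.exe md5=d926e76030f19f1f7ef0b3cd1a4e80f9
2017-06-27T10:30:00Z host=WIN7-320860-T44 proc=notepad.exe md5=5d41402abc4b2a76b9719d911017c592
this line is malformed and must be skipped rather than abort the hunt
2017-06-27T11:02:45Z host=WIN10-LAB-01 proc=svvchost.exe md5=d926e76030f19f1f7ef0b3cd1a4e80f9
"""

# Assumed line format: "<ISO-8601 UTC> host=<name> proc=<image> md5=<32 hex chars>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+host=(?P<host>\S+)"
    r"\s+proc=(?P<proc>\S+)\s+md5=(?P<md5>[0-9a-fA-F]{32})$"
)


def parse_events(text):
    """Parse log lines into dicts; unparseable lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": m["host"],
            "proc": m["proc"],
            "md5": m["md5"].lower(),   # normalize case before comparing with the feed
        })
    return events


def hunt(events, iocs=NOTPETYA_MD5):
    """Events whose hash is in the IOC list, oldest first, tagged with the IOC role."""
    hits = [dict(e, label=iocs[e["md5"]]) for e in events if e["md5"] in iocs]
    return sorted(hits, key=lambda h: h["ts"])


def patient_zero(hits):
    """(host, timestamp) of the earliest IOC sighting, or None."""
    return (hits[0]["host"], hits[0]["ts"]) if hits else None


def spread_timeline(hits):
    """Ordered map host -> first time an IOC was seen on it, i.e. the spread order."""
    first_seen = OrderedDict()
    for h in hits:
        first_seen.setdefault(h["host"], h["ts"])
    return first_seen


if __name__ == "__main__":
    hits = hunt(parse_events(SAMPLE_EVENTS))
    print("patient zero:", patient_zero(hits))
    for host, ts in spread_timeline(hits).items():
        print(f"{ts.isoformat()}  {host}")
```

The IOC keys are lower-case and every parsed hash is lower-cased before lookup; feeds and agents disagree on hex case often enough that a raw string compare silently misses hits.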
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Malware Hides with Stolen Code-Signing Certificates


welivesecurity: "Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign"

D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan

https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/
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New IOC CVE - File Reputation Threat Feed


VM: Find vulnerabilities -> Verify that vulnerabilities have been remediated

TP: Real-Time Indicators for which vulnerabilities have known / PoC exploits -> Prioritize vulnerability remediation on likelihood of attack

IOC: Threat feed of malware hashes used in real-world vulnerability exploits -> Prioritize vulnerability remediation based on successful attacks in your network
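The ranking described on this slide and on the Threat Protection slide, reduced to code as an added example (not a Qualys formula): each finding starts from its severity, gains weight for every Real-Time Threat Indicator attached to it, and jumps to the top when the IOC hunt has already found a hash from the exploit feed on that host. Hosts, vulnerability names and RTI names are taken from the slides; the severities, the RTI assignments, the weights and the "exploit artifact seen" host set are constructed for the example.

```python
# Weights per Real-Time Threat Indicator (RTI). The RTI names are the ones on the
# slide; the weights and the formula are this example's assumptions, not Qualys's.
RTI_WEIGHTS = {
    "Active Attacks": 4, "Zero Day": 3, "Public Exploit": 3, "Easily Exploitable": 2,
    "High Lateral Movement": 2, "High Data Loss": 2, "Vulnerable to DoS": 1, "Unpatchable": 1,
}
SEVERITY_WEIGHT = 10          # severity 1-5 -> 10-50 base score
EXPLOIT_SEEN_BONUS = 20       # a malware hash from the exploit feed was observed on the host

# Constructed findings: hosts and vulnerability names come from the slides, the
# severities and RTI assignments are assumed for the example.
FINDINGS = [
    {"host": "WIN2008R2-11566", "vuln": "ETERNALBLUE (MS17-010)", "severity": 5,
     "rtis": ["Active Attacks", "Public Exploit", "High Lateral Movement"]},
    {"host": "RHEL74-CC1-Azure", "vuln": "CVE-2018-15473 OpenSSH user enumeration", "severity": 3,
     "rtis": ["Public Exploit"]},
    {"host": "RHEL74-CC1-Azure", "vuln": "CVE-2018-5390 SegmentSmack", "severity": 4,
     "rtis": ["Public Exploit", "Vulnerable to DoS"]},
    {"host": "RHEL75-CC2-Azure", "vuln": "CVE-2018-15473 OpenSSH user enumeration", "severity": 3,
     "rtis": ["Public Exploit"]},
    {"host": "RHEL75-CC3-USEast2-Azure", "vuln": "L1 Terminal Fault (L1TF / Foreshadow)", "severity": 5,
     "rtis": ["High Data Loss"]},
]
# Hosts where an IOC hunt matched a hash from the exploit threat feed (constructed).
HOSTS_WITH_EXPLOIT_ARTIFACTS = {"WIN2008R2-11566", "RHEL75-CC2-Azure"}


def risk_score(finding, compromised_hosts):
    """Severity base + RTI weights + bonus when the exploit was actually seen on the host."""
    score = finding["severity"] * SEVERITY_WEIGHT
    score += sum(RTI_WEIGHTS.get(rti, 0) for rti in finding["rtis"])
    if finding["host"] in compromised_hosts:
        score += EXPLOIT_SEEN_BONUS
    return score


def prioritize(findings=FINDINGS, compromised_hosts=HOSTS_WITH_EXPLOIT_ARTIFACTS):
    """Findings ranked highest risk first, each tagged with score and emergency flag."""
    ranked = []
    for f in findings:
        exploited = f["host"] in compromised_hosts
        ranked.append(dict(f, score=risk_score(f, compromised_hosts),
                           emergency=exploited or "Active Attacks" in f["rtis"]))
    ranked.sort(key=lambda r: (-r["score"], r["host"], r["vuln"]))
    return ranked


def emergency_patch_jobs(ranked):
    """(host, vuln) pairs that justify an out-of-cycle patch job or stopping the instance."""
    return [(r["host"], r["vuln"]) for r in ranked if r["emergency"]]


if __name__ == "__main__":
    ranked = prioritize()
    for r in ranked:
        flag = "EMERGENCY" if r["emergency"] else ""
        print(f'{r["score"]:3}  {r["host"]:26} {r["vuln"]:42} {flag}')
    print("emergency patch jobs:", emergency_patch_jobs(ranked))
```

Two things the ranking shows that a CVSS-only list does not: the sev-3 OpenSSH username enumeration on RHEL75-CC2-Azure outranks the sev-5 L1TF finding because an exploit artifact was already found on that host, and the two emergency jobs are exactly the findings with either an "Active Attacks" indicator or a confirmed artifact, which is the trigger for "Create Emergency Patch Job from CVE Exploitation" on the next slide.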
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Indication of Compromise 


Indication of Compromise: Threat Intel Verification, Hunting, Alerting, Create Emergency Patch Job from CVE Exploitation

[IOC search examples shown: file hash 18fclb9b29a2d28lec9S1OF9F226ad77eScb9c558f696c37390bbac/2baa8ba8 and IP address 168.63.129.16]

Qualys Cloud Agent: IT, Security, Compliance Apps
- Asset Inventory
- Vulnerability Management
- Policy Compliance
- Indication of Compromise Detection
- File Integrity Monitoring

Upcoming IT App (Beta November 2018):
- Patch Management

[Agent configuration screenshot: Agent Modules, Tags]